8471b910ca27f0ca1408d5fbea466040c85de6963e99b97b496a937f241cdf23

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3256	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3572	$_3_.exe
3572	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3572	$_3_.exe
3572	$_3_.exe
3572	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4112	3572	$_3_.exe	94
PID 3572 wrote to memory of 4112	3572	$_3_.exe	94
PID 3572 wrote to memory of 4112	3572	$_3_.exe	94
PID 4112 wrote to memory of 3256	4112	cmd.exe	96
PID 4112 wrote to memory of 3256	4112	cmd.exe	96
PID 4112 wrote to memory of 3256	4112	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\21753.bat" "C:\Users\Admin\AppData\Local\Temp\13CEE210B0034F41B796946A9F7796B8\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\$I054H3K

Filesize
98B

MD5
0b501af25fb6d08a4a3f58168b089ecc

SHA1
9c3bc2a76aca27f2ae7b462054b8c9be57476947

SHA256
ab2f51f77f1c38b134f5fc386c139afdac5cafb05d6d2238147c48d18c569365

SHA512
1b956878cff3a7997ddbb35e24d2b936cb5f469bd2662c9ff664e60bd12c001677648c8bbb55280ac031b081c3540c6910d1a89ee3d862483d20ef8989830f11

Download Submit
C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\$IAYOEPL

Filesize
98B

MD5
cda4aa733f0292aa9cb8addcb9ca27b2

SHA1
bc8aee8b67b644cf78d768da9dcf2dd3cc007d0f

SHA256
b7c18bafe48139f027c6b2361e073412709e8d3e4c3400c740290e0b67144255

SHA512
e9a347eb3cb94356318f3666c0c6a7e3d9b05799e43c3b3a8a6abd0bb87a0eb683555e2208e032675bc8915349dff7f76b7dd8e29d8cb9e03dee4fba035dfb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\13CEE210B0034F41B796946A9F7796B8\13CEE210B0034F41B796946A9F7796B8_LogFile.txt

Filesize
2KB

MD5
f62697e4ae0baed612ddd0bc2a925c31

SHA1
59c5f83211e8bc701704a0e950b8700c089d16bd

SHA256
d1f3906eb50e139e25ac3d8c49ef83ca91dd5fda2246989ca0d3987702db32a7

SHA512
e121e27c6803e6a3a756e14034110b6b70f04c002013b87010f5ecbbf54fa5e87230b692293a16492861a551c4d473d5a9c10ad1c8cdce8c41b06b50e1c0ea7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\13CEE210B0034F41B796946A9F7796B8\13CEE210B0034F41B796946A9F7796B8_LogFile.txt

Filesize
4KB

MD5
79c292cc60463f0bf3a485d84ef95efc

SHA1
7365719d6620989d1a2002cf11dd01d5dbad6871

SHA256
6efa5b99e0fb3922db2f68c93efda9dde4b73ac676709ea84006c482ce6ada6f

SHA512
585dfd8628a2ebd602df269f44e8236135af8c13d394d70ecd9efa71092470c6507af7eac8d169dfe074c4213310d540566e211c19d597abab917a5f5a5ecedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\13CEE210B0034F41B796946A9F7796B8\13CEE210B0034F41B796946A9F7796B8_LogFile.txt

Filesize
4KB

MD5
c256229ea9bf855a78d218ad1b37293e

SHA1
5eb7a4134f2d46d9ff48e7cb68562e5e1b0eeaab

SHA256
e0c967022faa7d0d97aad3130cab7e0b00b5164ab62ce4f470f7705f30ac571c

SHA512
363cdf0306f3cc4c49562eabf4af9c8a65fec478f2d16df2ae4d8104f188ef0ac7b2e8f9f1f97d69b2e3bd3874c53085d7b8a0cb5742a657fd89ee27ef6ac0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\13CEE210B0034F41B796946A9F7796B8\13CEE2~1.TXT

Filesize
26KB

MD5
61c15dd74e1d20f4ee51274e09bcfb48

SHA1
63377acc24571bbc4fee480a6fd7fbcb8336d1eb

SHA256
3191587086e7d6d91b8b67f78deabe92f0ba5527ef8d9a3a4167c40fa3fbe4d6

SHA512
f6f2920a6c2dbbc616b74a55f7476ca6a94348468810847c8b07eb4a60aaf3e61303e0681b3aef1a8c803124f77504cfb1764cdb8cb6e75c041e6ffef176f741

Download Submit
C:\Users\Admin\AppData\Local\Temp\21753.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/3572-65-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download